RESTful Authentication and Entitlements
The AMPS distribution includes a module that provides authentication and entitlement via an external Web Service. For some installations, this module provides a convenient way to integrate with an existing authentication and entitlement infrastructure without creating an entitlement plugin.
In this release, the HTTP authentication module is provided with AMPS, but is not loaded by default. This module is an optional extension to the AMPS product, and while it is included with the AMPS distribution, the module must be explicitly loaded, enabled, and configured.
When using this module, AMPS requests permissions documents from an external service using http
or https
. The request to retrieve the permissions document includes the credentials provided with the client logon. If the request succeeds, the module considers the user to have successfully authenticated to AMPS. If the request to retrieve the permissions document fails, the module considers the user to have failed authentication. When authentication succeeds, the contents of the document returned specify the permissions that the module grants to the user.
The web service module expects that the web service endpoint will follow RESTful (HTTP) semantics. For example, the module uses standard HTTP headers for authentication and expects that if the credentials provided are not valid, the endpoint will return an HTTP 403 status code (or equivalent).
When to Use the Web Service Module
The AMPS Web Service Authentication and Entitlement module can be a good option when:
The site does not have an existing authentication and entitlements infrastructure for AMPS.
It is more feasible to develop and test a standalone web service than to develop a server plugin for AMPS.
Applications need to integrate with an existing authentication and entitlement system that offers limited Linux or C/C++ support.
An application that will use another authentication scheme in production needs an easy way to test changes to entitlements and entitlement scenarios that are difficult to replicate in the production system.
Permissions Document Format
This section describes the format of the permissions documents used by the Web Service Authentication and Entitlement module.
All documents are in JSON format, and consist of a set of permissions. The document is not required to contain the user name: this is intentional, and allows systems to easily provide identical permissions for all users in a group without having to create unique documents.
The entitlement document expresses each permission as a field of a JSON document. The following is an example of a permissions document:
The Web Authentication Module processes the entitlements in document order. Going through the document in order, this set of entitlements specifies the following permissions:
This user has permission to log on to AMPS, as set by the logon field.
This user does not have permission to make a replication connection to AMPS. A replication connection that uses these credentials will be refused.
This user has read permissions to the topic
test
for messages that match the filter/priority = 1
. This user does not have write permissions to the topic.The user has read and write permissions to every other topic in the instance without content restrictions.
The user has read permissions to the administrative interface for information under the
/amps/instance
path.The user has no other permissions to the administrative interface.
The Web Service Authentication and Entitlement Module also allows fine-grained control of the topics that a given user is allowed to publish to via replication with the replicated-topics
configuration element. The following permissions document shows sample permissions for a replication connection:
This document specifies that the user can only log on to AMPS via replication connections. The user has permission to replicate messages to the topic /events/P1
(using an exact match) and topics that begin with /orders/NYC
, as specified by the regular expression ^/orders/NYC/.*
. The user has no other permissions. In particular, the user cannot log on from an AMPS client, and could not publish to or subscribe to any topics even if logon
was changed to true
without an explicit topic
permission.
The structure of the permissions document is as follows:
Client Transport Permissions
These fields control access for applications to connect, including the SQL
tab of the Galvanometer (which is an AMPS client application).
logon
Specifies permission for an application to log on to AMPS.
When this field is present, the value of the field must be a boolean true
or false
.
topic
Controls access to topics within AMPS.
When this field is present, the value of the field must be a permission list, as described below.
If this field is not present, the user cannot publish to or subscribe to any topics.
Admin Transport Permissions
This field controls access to the administrative interface and statistics, including Galvanometer statistics.
admin
Controls access to the administrative interface.
When this field is present, the value of the field must be a permission list, as described below.
If this field is not present, the user has no access to the administrative interface.
Notice that, because the Admin console uses HTTP, there is no equivalent of the logon or replication-logon permission for the Admin transport.
Replication Transport Permissions
These fields control permission to replicate messages to this instance of AMPS.
replication-logon
Controls permission for a replication connection to log on to AMPS.
When this field is present, the value of this field must be a boolean true
or false
.
replicated-topics
An array containing the topics that this user can replicate to.
When this field is present, the value of the field must be an array of strings that specify topic names or regular expressions. For example, the following entry allows this user to replicate ONLY to topics that begin with /orders/NYC
If this field is not present in the permissions document, the user cannot replicate to any topics.
Connection Properties
This field allows you to set the user name for this connection to a value different than that used for logon.
user_name
Specifies that the module should set the authenticated user name of the connection to the provided value.
This option is ignored when the module is in EntitlementsOnly
mode.
If this field is not present in the returned permissions document, the authenticated user name is set to the value provided with the logon
request from the client.
Permissions Lists
Permissions lists within this document are arrays of entries. Each entry in the array is a JSON object with the following format:
topic
The name of the topic this permission definition applies to.
This name can be either a literal value, or a regular expression to use to match topic names.
A name is interpreted as a regular expression if it contains any characters used in regular expression matching (for example; ^
, $
, *
, .
and so on). Regular expression matching provides full support for PCRE regular expressions.
read
Defines the read permission for the topic.
The value of this field can be either true
, false
or an AMPS filter.
When the value is true
, the module grants read permission to the topic with no restrictions. When the value is false
, the module denies read permission. When the value is a filter, the module grants read permission to the topic only for those messages that match the filter.
write
Defines the write permission for the topic.
The value of this field can be either true
, false
or an AMPS filter.
When the value is true
, the module grants write permission to the topic with no restrictions. When the value is false
, the module denies write permission. When the value is a filter, the module grants write permission to the topic only for those messages that match the filter.
select
Defines the entitlement select list for this topic.
When this value is present, the module applies the select list provided to the topic entitlement.
Notice that this element should include only the select list specifier and not the enclosing brackets for the select list. For example, a valid select
element might be:
Configuring AMPS to use Web Service Authentication and Entitlements
The web service authentication and entitlement module is included in the AMPS distribution, but is not loaded by default. To load the module in AMPS, add the following configuration item to the Modules
block of the AMPS configuration file:
Options for the module may be set when the module is loaded, when the module is used for Authentication
or Entitlement
, or in both places. Options set when the module is loaded are inherited as the default values for all uses of the module in the instance. Options specified in an Authentication
or Entitlement
block override options set when the module is loaded.
For Authentication
, the module supports the following options:
ResourceURI
The URI to request when a user logs into AMPS using this module. This option is required.
For this option, AMPS substitutes the placeholder {{USER_NAME}}
with the name of the user being authenticated. For example, here are two possible values for the ResourceURI
:
http://cred-server:8080/admin/group_policy.json
http://cred-server:8080/{{USER_NAME}}.json
In the first case, AMPS requests a document with the current user name of the user logging on substituted for the {{USER_NAME}}
component of the URI. In the second case, the document is requested with the credentials of the user connecting, but AMPS requests the same document for each user.
There is no default for this parameter.
CredentialStore
Identifier for the entitlement store where the retrieved permission sets will be stored. When used for authentication, this is the name of the entitlement cache that the module stores parsed information into until AMPS requests the information.
In most cases, there is no need to set this parameter. When multiple transports use different ResourceURI
values, but those transports are expected to maintain the same information, specifying a CredentialStore
value can speed the logon process and reduce the number of copies of the parsed permissions document in memory. Likewise, if a module must ensure that permission sets are kept separate (so that, for example, an internal user named 'johndoe'
and a web user named 'johndoe'
have separate credentials), explicitly setting a CredentialStore
value can make it easier to verify that the permission sets are completely separate.
Default: The literal value of the ResourceURI
parameter.
ConnectionTimeout
The maximum amount of time to wait for a connection to the web server for each request, in milliseconds. If a connection is not made within the specified time, the module stops the connection attempt and the request fails.
Default: 2000
RequestTimeout
The maximum amount of time to wait for the web server to return a permissions document on each request, in milliseconds. If the server does not return a permissions document within the specified time, the module closes the connection and the request fails.
Increasing this timeout above the default value may produce potential stuck thread warnings if the web service is slow to respond.
Default: 5000
RetryCount
Sets the number of times to retry the request if retrieving the authentication document fails for any reason.
Default: 0
(only try once)
HTTPHeader
Sets a header to add to the HTTP request.
The configuration can specify any number of HTTPHeader
elements, and the module will provide each of the specified headers with the authentication request.
There is no default for this option. If no HTTPHeader
option is included, the module provides a standard set of headers.
This option supports variable replacement during an authentication request, as described in the following table.
This option supports expansion of the AMPS_USER_NAME
(and the USER_NAME
backward compatibility form) when the module is in EntitlementsOnly
mode.
EntitlementTimeout
Optionally, sets the amount of time to consider an entitlements document for a given user to be valid. After this timeout period, AMPS will check each entitlements document returned for that user to see if the entitlements have changed. If an authentication request returns a different entitlements document, the module will reset permissions for all connections currently connected with that username (which will disconnect those connections and clear the entitlement cache).
When this option is not provided, the module retains permissions until all connections with the current user name are disconnected, then removes cached permissions in the module and clears the AMPS entitlement cache.
This option is not supported in EntitlementsOnly
mode.
This option accepts a number of milliseconds or an AMPS interval.
The granularity for the EntitlementTimeout
is a second. Fractions of a second, or values less than one second, may be rounded or truncated.
ReuseConnections
Optionally, sets the module to reuse connections to the entitlement service when possible. By default, the module creates a new connection for each entitlement request.
When set to enabled
, the module will reuse HTTP connections when possible.
This option is only supported within the Modules
definition, and is set for all uses of the module within the configuration. The option will be ignored if it is set within the Authentication
or Entitlement
blocks.
Default: disabled
ServerAcceptsEmptyAuthId
By default, the module will refuse authentication requests that do not contain an auth ID without allowing the request to reach the server. Instead, the module returns an authentication failure to AMPS immediately. This is designed to protect the authentication web service from requests that cannot succeed.
In some environments, the web service providing authentication will authenticate a user based entirely on the authentication token provided as the password, and will return the authentication ID for AMPS to use in the permissions document.
When this option is set to true
, the module will submit authentication requests to the service even when no authentication ID is provided on the logon request from the AMPS client.
An authentication ID is still required for AMPS to be able to track permissions. When this option is set to true
, the authentication service must set the auth ID in the permissions document when no auth ID is provided in the permissions request. Otherwise, the authentication request will fail.
Default: false
The following tokens are expanded in the HTTPHeader
element of an authentication request:
AMPS_CLIENT_NAME
Client name provided in the logon request.
AMPS_CONNECTION_NAME
The connection name for the connection requesting logon, as assigned by the AMPS server (based on the transport name).
AMPS_CORRELATION_ID
The correlation ID provided on the logon request.
AMPS_MESSAGE_TYPE
The message type of the logon request.
AMPS_PASSWORD
The password provided with the logon request.
AMPS_REMOTE_ADDRESS
Remote address from which the logon request was made.
AMPS_USER_NAME
User name for the request.
CORRELATION_ID
The correlation ID provided on the logon request.
Legacy compatibility token
USER_NAME
User name for the request.
Legacy compatibility token
For Entitlement
blocks, the module requires one of the following two options. These options are used to specify the entitlements to use for the context.
ResourceURI
Identifier for the credential store to use for this entitlement context. This is a synonym for the CredentialStore
parameter. The module accepts this synonym to make it easier to verify that the Entitlement
context and the Authentication
context use the same values.
There is no default for this parameter. Either the ResourceURI
or CredentialStore
must be provided. If both are provided, the module uses the value of the CredentialStore
.
CredentialStore
Identifier for the entitlement cache. When used for entitlement, this is the name of the entitlement cache that AMPS uses to look up the information.
There is no default for this parameter. Either the ResourceURI
or CredentialStore
must be provided. If both are provided, the module uses the value of the CredentialStore
.
For example, the following configuration loads the module and sets default values that are used for client transports. The module is also used for the admin interface, but that interface uses a separate credential store. Notice that, since the HTTPHeader
options are set when the module is loaded, the custom headers are provided everywhere the module is used, regardless of the ResourceURI
or CredentialStore
values.
Using HTTPS for Authentication and Entitlement Requests
The Web Service Authentication and Entitlement Module optionally supports https
entitlement requests. When the ResourceURI
uses https
as the scheme, the module will attempt to use https
to connect to the web service.
By default, the module attempts to verify the identity of the remote web service, which requires a key file containing the key for the certificate authority that signed the certificate for the remote web service.
AMPS does not require that the certificate and key provided for outgoing https
requests be the same certificates used for incoming SSL connections to AMPS. However, if you have configured AMPS to accept SSL connections from AMPS clients, the certificates you use for those connections are often suitable for outgoing web authentication module connections, and the same certificates can be provided in both sections of the configuration file.
Certificate
The certificate to use for the AMPS connection to the web service. When configured, this certificate can be provided to the web service if the web service requests client authentication for the connection.
There is no default for this parameter.
Key
The key file to use for the AMPS connection to the web service. When configured, this key can be used for client authentication if the web service requests client authentication for the connection.
There is no default for this parameter.
CAKey
The certificate authority key. When configured, this key can be used for the AMPS server to verify the identity of the web service.
There is no default for this parameter. The CAKey
must be provided when AllowUnverfiedPeer
is set to false
, the default.
AllowUnverifiedPeer
Specifies whether AMPS requires the web service to identify itself. When this is set to false, the default, AMPS requires that the web service provides a certificate that can be verified with the configured CAKey
.
Default: false
AllowSelfSigned
Specifies whether AMPS will accept self-signed certificates for https
connections.
Default: false
The following configuration file shows a common way to configure the module for testing purposes when working with a server that accepts https
connections. While the outgoing connection will use SSL, the module will not provide certificates to the server, or request that the server verify its identity.
The following configuration file demonstrates how to configure the module to verify the identity of the remote server, provide verification of the AMPS server identity to that server, and require that all certificates be signed by a certificate authority.
Permissions Management and Request Flow
This section describes the request flow for the Web Service Authentication and Entitlement Module when used in the default mode.
Notice that authentication and entitlement are two separate steps. The module obtains the set of permissions during the authentication step, and then provides responses to AMPS entitlement requests during the entitlement step. What this means is that, in the default mode, a user must have authenticated using the module for an entitlement request to be allowed.
Authentication Step
Logon request received from the client.
Module requests an entitlement document (via
GET
) from a specified Web Service. The credentials in the logon request are provided as the credentials for theGET
. The module supports both Basic and Digest authentication to the Web Service, as described in RFC 7616 (HTTP digest access authentication) and RFC 7617 (The 'Basic' HTTP authentication scheme).If AMPS cannot retrieve the entitlement document using the provided credentials, AMPS returns a failure for the logon request.
If the Web Service Authentication and Entitlement module already has a parsed entitlement document for this user in the
CredentialStore
for this request, the module simply returns success for the authentication request.Otherwise, the module parses the entitlement document and stores the entitlements in the
CredentialStore
. If the module can't successfully parse the document, it returns a failure for the authentication request.
Entitlement Step
The module looks up the user name in the
CredentialStore
for the request. If the module has no stored entitlements for the user, the module denies the request.The module looks for a matching entitlement. Entitlements for a user are searched in exactly the same order in which they appear in the document. The module uses the first entitlement that matches the request. If no entitlements match, the module denies the request.
The module checks the entitlement to see if the entitlement grants access to the user or disallows access to the user. If the entitlement disallows access, the module denies the request.
The module allows the request and applies any filter specified in the matching entitlement.
Entitlement Reset
The module caches the set of entitlements for a user while that user is connected. As described in the previous section, the module parses the returned permissions document if the module does not have an existing set of entitlements for that user or if the EntitlementTimeout
has expired and the document has changed.
The module provides two mechanisms for automatically resetting the entitlement cache and updating permissions for the user:
The module provides "reset cache on disconnect" entitlement behavior when in authentication and entitlement mode. The module resets both the AMPS entitlement cache and the information on the parsed permissions document for a given user when all of the connections for that user are closed. In practical terms, this means that changing the entitlement document returned by the web service has no immediate effect on the permission set that AMPS enforces. AMPS will continue to use the permissions in the document returned from the first logon request for that user until all connections for that user have been closed. When used in authentication and entitlement mode, this functionality is always active; when the last connection for a given user disconnects, the AMPS entitlement cache and the module entitlements are reset.
Notice that this also means that if AMPS entitlements are reset for a user (for example, using the
amps-action-do-reset-entitlement
action), this will also clear the module cache, since all connections for that user will be closed. Likewise, a user can always update permissions by completely logging out of AMPS and then logging back in.Optionally, the module can set an
EntitlementTimeout
. When this is set, a change to the user permissions after the timeout period will reset any current connections for that user, clear the AMPS entitlement cache, and replace existing permissions with the contents of the permissions document returned. Notice that AMPS only has access to the entitlements document when a user is authenticated. AMPS does not retain the logon credentials for a user, and only retrieves documents from the web service during logon. This means that a change in entitlements can only be checked during the logon process for the same user name.
This functionality is not available when the module is in EntitlementOnly
mode, as described below. When used in EntitlementOnly
mode, the module does not track connection or disconnection, so entitlements are cached in the module for the lifetime of the instance.
Entitlement Only Mode
Starting in AMPS 5.3.1, the HTTP authentication and entitlements module supports a mode where another module can be used for authentication, and this module can be used for entitlements. To enable this mode, include the following configuration item in the Modules
block that loads the module:
When an EntitlementOnly
element is provided, the module cannot be used to authenticate users. Instead, the module makes an unauthenticated HTTP request the first time that permissions are requested for a given user ID. The permissions document returned is cached, and used for subsequent requests.
When using the module in this mode, the module may not be used in an Authentication
block. The module configuration or Entitlement
block configuration must provide a ResourceURI
, and may provide the other options normally accepted in the Authentication
block (for example, HTTPHeader
, RetryCount
, and so on).
In this mode, the module does not see connect and logon requests. Therefore, the module does not provide automatic entitlement cache reset in this mode and the module caches the permissions for a given user in a given credential store for the lifetime of the instance.
Entitlement Only Request Flow
This section describes the request flow when the module is operating in entitlement only mode. This is very similar to the flow in the default mode, except that all of the processing happens as a part of the first entitlement request for a given user ID, and no credential information is available for the request to the HTTP server.
Entitlement request is received from AMPS.
The module looks up the user name in the
CredentialStore
for the request. If the module has stored entitlements for the user, the module proceeds to step 6.Module requests an entitlement document (via
GET
) from a specified Web Service. No credentials are provided on this request.If the module cannot retrieve the entitlement document, the module returns a failure for the entitlement request.
The module parses the returned permissions document. If an error occurs while parsing the permissions document, the module returns a failure for the entitlement request. Otherwise, the module loads the parsed permissions into the
CredentialStore
.The module uses the
CredentialStore
to look for a matching entitlement. Entitlements for a user are searched in exactly the same order in which they appear in the document. The module uses the first entitlement that matches the request. If no entitlements match, the module denies the request.The module checks the entitlement to see if the entitlement grants access to the user or disallows access to the user. If the entitlement disallows access, the module denies the request.
If the module allows the request, any filters specified in the matching entitlement are applied.
Last updated